Data integrity, Pharmaceutical industry, Good Manufacturing Practice, GMP, Guidelines, Data management, DI and GMP Compliance, paper and electronic data, Archive and back up
2. Overview
1. Guidelines
2. Principles of DI
3. Data Integrity Risk Assessment (DIRA)
4. Data Criticality and Risk
5. Design Robust Compliance System
6. Data interpretation and Good Documentation Practices (GDocP)
3. Principles of Data Integrity (DI)
1. Data recorded as per GMP requirement and ensuring data is complete, consistent and
accurate throughout the lifecycle i.e paper or electronic
2. Organisational culture, behaviour encouraging to create right environment to
implement effective Data integrity on site
3. Data governance policy should be effectively endorsed at the highest level
4. Data Integrity Risk Assessment (DIRA)
5. Develop system to maintain and control data, periodic DI audit
6. Contingency procedure should not impact on DI controls. Apply to automated
computerized system to paper-based system, vice versa.
7. Holistic approach for any identified DI weakness
8. Notification to regulatory authority where significant DI incident identify.
9. Effectively implementation of ALCOA+
4. Data Integrity Risk Assessment (DIRA)
1. Consider factors impacting on process or function on the system
2. Common factors are: Computerised system, People, SOP, training, Quality system
3. Automated validated system reduce DI risk
4. Human intervention influence on data record, report, retain, verification, poor
systematic control, poor validation plan increase DI risk
5. DI risk remediation action should be documented, discuss and review by Quality
management
6. DI risk remediation actions should categorise by long term and short term. Where
long term action require, short term action has clearly target problem
5. Data Criticality and Risk
1. Critical data influence on Quality, Safety and Efficacy decision
2. Risk of data deletion, amendment, exclusion without authorisation and lost of
traceability
3. Process complexity, inconsistency, inconclusive outcome increase data risk
4. Common data sources are Paper, electronic, Hybrid, other
4.1. Paper Data: Hand written, printed data require second independent verification (risk
reducing measure)
4.2. Electronic: Complexity of the electronic system. Validation of electronic system to
reduce risk e.g. functionality, configuration, user intervention, data lifecycle
4.3. Hybrid: Combination of paper and electronic data.
4.4. Other: photograph, image, photocopy where original copy fade control storage of
data.
6. Design Robust Compliance System
1. Synchronised clock system for traceable time stamp with correct time zone
2. Control over raw data recording and it’s accessibility
3. Use of controlled logbook with number page to prevent recreation of primary data
4. Access control of computerised system to prevent amendment of data, audit trail
5. Use of interface e.g. Barcode scanner, Automated weighing Printer, Badge access
system to eliminate manual entries and reduce human interaction
6. Trained people, validated system
7. Access of record , reconciliation of printouts to Data verification team
8. Promote work environment that provide sufficient time, equipment, clear
instruction
9. SME involvement in Risk assessment, Quality Metrics for DI
7. Design Robust Compliance System
1. Use of scriber to record data should be justifiable
Contemporaneous recording
Clearly identify who is performing task
All involved persons should trained to carry out activity
Task briefing should be given to all persons involved
Document should be singed by all persons involved
8. Data Interpretation and GDocP
1. What information are consider as Data
Original records
True copies of original records
Sourced data (Printout from HMI e.g. SIP, CIP, Autocalve, Balance, HPLC, FTIR)
Metadata
Reports printouts
Any information recorded at the time of activity perform
Data allows to reconstruct and evaluate carried out GxP activity.
9. Data Interpretation and GDocP
GDocP are those measures that collectively and individually ensure Documentation,
whether paper or electronic are following the principles of ‘ALCOA+’
Documents use for GMP purpose should comply with GDocP i.e. BMR, logbook,
Specification, SOP, Analytical method, Protocol, Qualification Doc, CofA, TA, PQR
Document handling procedure i.e Retention, Archiving, Periodic review
ALCOA + (Plus)
Attributable Consistent
Legible Complete
Contemporaneous Enduring
Original Available
Accurate
10. Data Interpretation and GDocP
ALCOA
Attributable – clear who has capture and
document the data
Legible – readable and stay in permanent
format throughout life cycle
Contemporaneous – recorded at the time
of activity
Original – first recorded data, not ‘True
copy’
Accurate – True representation of Fact
ALCOA+
Consistent – recorded in same way
Complete – Complete pack of data
including metadata
Enduring – long lasting durable storage
(paper, electronic)
Available – Retrievable and accessible for
review
11. Data Interpretation and GDocP
2. What is Raw data?
Original report, first captured information and should endure during lifecycle of data
Raw data could be paper or electronic
If data capture electronically and print as per requirement then electronic data is a
raw
raw data which can reproduce
If electronic system does not store data then print out is the raw data
If electronic system have limited storage capacity then data should be periodically
review and paper copy to keep
Electronic data storage, back up and periodic review to carry out as per site
procedure
12. Data Interpretation and GDocP
3. What is Metadata?
Describe the attribute of other data and provide context and meaning.
It is a part of original data but original data has no meaning if context not provide
by metadata.
4. What is Data Governance?
Any form of data generation are recorded, processed, retain and available to use
for
data lifecycle.
Data ownership and accountability
Data access restriction, handling, encourage reporting of errors, omissions, OOS
13. Data Interpretation and GDocP
5. What is Data lifecycle?
Data to retain and accessible in original form from generation, recording, use,
retention, archive/retrieval and destruction to ensure DI.
6. Recording data
Should meet ALCOA+ principles
Recording methods should be controlled and traceable
7. Data transfer / migration
Storage media can change without changing the original data
Storage media, data transfer process should be validated, audit trail availability
Electronic worksheet should be controlled
14. Data Interpretation and GDocP
8. Data Processing
Original data should available throughout life cycle
Data process should not manipulate data to get desirable result e.g. Chromatogram
9. Excluding Data
Should demonstrate with valid scientific justification and recorded with original data
Excluded data should retain with throughout lifecycle
10. Original Record
First source of information cab ne paper, observation, electronic record including
any
supportive data require to re-generate the GxP activity.
Original record can be static and dynamic
15. Data Interpretation and GDocP
11. True copy
A verified copy by second person which contains same data, information as
original
copy. This can be paper, electronic and retain throughout the data lifecycle.
12. Computerised system transaction
It can be single or series of operation to perform the transaction. This can be
perform manually or control by automated system
Critical steps should perform, record contemporaneously and save before make
any change
E-signature, audit trail should introduce to capture data even
16. Data Interpretation and GDocP
13. Audit trail
A form of metadata containing information associated with actions that relate
to creation, modification or deletion of GxP records.
Secure recording of any type modification of data such as creation, additions,
deletions, alterations e.g. Paper or Electronic
Audit trail facilitate the reconstruction of historical event during investigation
System should be risk assessed for clearly identified use access level
Computerised system should always provide retention of audit trail to review
changes
Where Audit trail not possible, alternative method should in in place e.g.
logbook
Audit trail should review periodically, part of data approval by trained reviewer
17. Data Interpretation and GDocP
14. Electronic signature (e-sign)
Digital form of signature equivalent in legal terms of hand written signature
Control of e-sign: attributable, no manipulation, legible, security of access by
owner
Where pdf, paper copy e-sign, metadata should be documented with original
Method of authentication of e-sign should be risk assess
Only inserted image , footnote without metadata is not adequate for e-sign
18. Data Interpretation and GDocP
15. Data review and approval
Should be a SOP to describe review and approve data
Error should be addressed as per procedure e.g. Comments, Deviation
Correction, recording, process should follow ALCOA+
Electronic report should customise to provide all necessary information require
for
review and approval of report and related documents
If data provided by other organisation, then receiving organise should evaluate
the data
Data integrity of data supplier and generator
Clearly identify category of routine and periodic data review
19. Data Interpretation and GDocP
16. Computerised system user access/system administrator roles
Access as per functionality appropriate to job role
Company must able to demonstrate regarding user access level
Individual login require for audit trail to ensure data integrity
Generic user access should not be used, additional license purchase should be
available
System not use for GxP purpose but contain GxP data must demonstrate control
over user access
System admin rights should not conflict interest of data use
20. Data Interpretation and GDocP
17. Data retention
Data archive , back up procedure and policy should available
Data retention should ensure to protect data from deliberate, inadvertent
alteration or loss
Data security should ensure by controlling measure or validate system
Original/true copy paper data can be stored by validating scanning process
and control storage location
Data destruction procedure should consider criticality and applicable legislative
retention requirements
21. Data Interpretation and GDocP
18. Archive and back up
Designated secure area for long term, retention of data and metadata for the
purpose of verification of the process or activity
Should be protected for any alteration and event like fire, flood, pest
Should be an arrangement to permit recovery of data, able to perform full
verification
Virtual system can be use for legacy system which are no longer supported
If full data migration of original is not achievable, risk based approach in place to
protect data
Original data pack including metadata configure to maintain for recovery including
disaster recovery
Backup and recovery process should be validated, periodically tested, functionality
Back up policy and procedure should be in place
Back up policy should not affect retention policy
22. Data Interpretation and GDocP
19. File structure
DI risk assessment should define GxP use, software functionality for intended use,
control and security over generated file
20. Validation for intended purpose
Comply with regulatory requirement
Functional verification should be demonstrated
internal requalification schedule should be available
21. IT supplier and service provider
For ‘cloud’ and ‘virtual’ service provider ownership, retrieval, retention, data security
should consider
Impact of law application of geographical location where data are physically stored
Technical agreement should clearly define responsibilities of contract giver and
acceptor
Software/system restoration should be made as per GxP